Speak with an Engineer
Not sure where to start? We're here to help walk you through the process, understand your environment, and provide the guidance you need to achieve cybersecurity maturity. Get in touch today.Get in Touch
We provide comprehensive services to help customers meet DFARS and CMMC requirements at a fraction of the cost of doing it yourself.
Beginning Nov. 30th, 2020, the new DFARS Provision 252.204-7019 will require DoD contractors who handle Controlled Unclassified Information (CUI) to submit to and record a DoD Assessment of their compliance with the 110 controls documented in NIST SP 800-171. Find out more about what this DFARS rule change means for you.
Defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171.
NIST 800-171 requires organizations to develop a System Security Plan (SSP) describing their program and a Plan of Action and Milestones (POAM) outlining how and when they would mitigate any gaps in their program. A new rule that goes into effect Nov. 30th also requires contractors to submit the results of a self-assessment and a score for their program into a government database of supplier’s performance information.
Some organizations will be required to undergo government assessment and validation of their program as well. Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contact.
Every defense contractor must meet the requirements of a Basic Assessment – a self-assessment using the organization’s existing System Security Plan (SSP) and Plan of Actions and Milestones (POAM) to calculate their own score and then entering it on SPRS. The SPRS entry will consist of six fields: SSP name, CAGE code associated with the plan, a brief description of the plan architecture, date of the assessment, total score, and the date a score of 110 will be achieved. If you already have an SSP and POAM, it should take less than an hour to complete the Basic Assessment.
Some organizations will be required to undergo further assessments as described below:
Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contact.
These new requirements (and increased scrutiny of old requirements) will potentially impact you as a defense contractor in a number of ways:
Develop or update your cyber program. Defense contractors should consider hiring expertise now to help them with their assessment and score.
We offer the most comprehensive solution to help you write policies, implement technology, document your practices, assess business risk and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.
Ardalyst approaches this problem differently. We recognize this isn’t simply a technical problem with a technical solution. Our team combines the technical proficiency of system administration and cyber security experts with seasoned business risk and operations analysts to provide a comprehensive solution to a multi-faceted problem. We examine not just the technical controls that make up your cybersecurity defenses but apply business risk assessment to your unique drivers and the way you want to position yourself within your market.
DFARS Provision 252.204-7019 Essentials Evaluation – Free
We will interview your key staff to gain an understanding of your cybersecurity program and the controls you currently have in place. We will provide you with a preliminary score out of 110 controls and a summary report of our findings which can be incorporated into your SSP and POAM. (4 hours)
DFARS Provision 252.204-7019 Comprehensive Evaluation (includes a complimentary CMMC Level 3 Pre-Evaluation) – $9,500
This includes everything in the Essentials Evaluation, plus a CMMC Level 3 Pre-Evaluation. We will provide you with recommendations and a roadmap for remediating existing gaps. (1-2 weeks)
DFARS Provision 252.204-7019 Transformational Evaluation (includes a complimentary CMMC Level 3 Evaluation) – $19,500
This includes everything in the Comprehensive Evaluation plus and executive workshop to help your leadership team understand your program roadmap. We will provide assistance in drafting your SSP and POAM describing your process and timeline for eliminating gaps and vulnerabilities in your system. (1 month)
Start your CMMC journey now with a pilot of your full cyber program. Migrate a sample of 5 people from your organization to Microsoft GCC-High and receive everything in the Transformational Evaluation plus: